CN102185847B - Malicious code network attack evaluation method based on entropy method - Google Patents


Publication number
CN102185847B
Authority
CN
China
Prior art keywords
network
attack
index
entropy
evaluation
Legal status
Active
Application number
CN201110106026.0A
Other languages
Chinese (zh)
Other versions
CN102185847A (en)
Inventor
王汝传
李鹏
张登银
孙力娟
黄海平
张伟
肖甫
Current Assignee
Nanjing Post and Telecommunication University
Nanjing University of Posts and Telecommunications
Original Assignee
Nanjing Post and Telecommunication University

Abstract

The invention provides a design scheme of a malicious code network attack evaluation method based on an entropy method. A design scheme of constructing malicious code network attack effect evaluation is proposed by using network entropy. The method comprises the steps of collecting variation situations of functional indexes including CPU utilization rate, network traffic, network delay, memory utilization rate and the like in real time in the process of the network attack; normalizing the related indexes collected for multiple times so that each attack index can be compared and analyzed at the same level; describing the attack effect by using the entropy method; figuring out a weight coefficient of each attack index according to the importance of the evaluation index in an evaluation index system; and finally quantitatively determining an effect of the malicious code network attack.

Description

Malicious code network attack evaluation method based on the entropy method
Technical field
The present invention proposes a scheme for evaluating the effect of malicious code network attacks based on the entropy method. It mainly addresses the problem of objectively and quantitatively evaluating the effect of a malicious code network attack, and belongs to the field of information security.
Background art
As the Internet develops and technology continually advances, network malicious code develops as well. Network attacks are rampant; they not only disrupt users' normal Internet access but also endanger their property. In 2008 the number of new computer viruses, Trojans and other malicious code in China grew explosively, and the total exceeded ten million. The modularization and specialization of malicious code production and the move of the virus "operation" model onto the Internet have become the three notable features of malicious code development. Trojans planted in web pages and vulnerability attacks have become the main channels through which hackers profit. The "Jinshan anti-virus software" virus epidemic and Internet security report for the first half of 2009 showed that China saw on average more than 1,000,000 new malicious code samples every month.
The operations department of the National Internet Emergency Center (CNCERT) once pointed out that China has become the country most harmed by network attacks. At present millions of computers on the network are infected with Trojans or bot programs and are covertly controlled by various hackers, becoming so-called "meat machines". The US military in particular is the leader of the network arms race: it is vigorously studying network warfare theory, building network warfare organizations and units, developing network warfare weapons and equipment, and conducting network warfare training and exercises. The US military treats network warfare as one of the basic forms of information warfare and has written it into its operational doctrine. To date, the US Department of Defense and each of the services have set up network warfare organizations and units. US defence expert Joel Harding estimates that US military network warfare forces number nearly 90,000 people. According to statistics, the US military has developed more than 2,000 kinds of network warfare virus weapons. In March 2008 the US military held a large-scale network warfare exercise code-named "network storm" to test US network security and the ability to respond to network attacks. Participants included departments such as the US Department of Defense, the Central Intelligence Agency and the FBI, as well as countries such as Britain, Australia and Canada. In June 2009 US Secretary of Defense Gates announced that the United States was formally establishing a "network warfare command". The command is subordinate to the US military's Strategic Command, is led by a four-star general, and is responsible for the unified command of US military network warfare operations. In the Quadrennial Roles and Missions Review Report issued at the beginning of 2009, the US Department of Defense listed eight "core competencies" that the US military needs to develop, including network warfare capability. The Department of Defense proposed that, since the US military holds the advantage in conventional operations, priority would in future be given to new combat capabilities such as irregular warfare and, in particular, network warfare.
As early as 2001, the research report "Network Warfare" published by the research service of the US Congress stated that, according to US official estimates, twenty-odd countries pose a network threat to the United States. Countries with network warfare capability include not only military powers such as Russia, Britain, France, Germany and Japan, but also developing countries such as Korea, Iran, Syria, Cuba, India and Libya. In recent years countries around the world have further accelerated the building and integration of network warfare capabilities. In May 2008 NATO set up a "cyber defence cooperation centre" in Tallinn, the capital of Estonia. The centre is a supranational body open to all NATO member states. So far Estonia, Latvia, Lithuania, Germany, Italy, Slovakia and Spain have signed a memorandum of understanding and become sponsor nations, undertaking to provide the centre with personnel and funds. The centre's main responsibilities are to strengthen cooperation among NATO countries in areas such as intelligence sharing through education and research, to improve cyber defence capability, and to study how to respond to network attacks under NATO's principle of common defence. Recently the British government announced that it would set up a "network security office", responsible for developing network defence capability and for striking back when Britain suffers a network attack. South Korean defence officials also announced that a network warfare command would be set up in 2010 to improve the country's network attack and defence capability.
Techniques for evaluating the effect of computer network attacks are significant in the security evaluation of information systems. On the one hand, the department that builds a network can verify the system's security properties through simulated attacks on the information network and self-assessment. On the other hand, when countering a malicious attack from an adversary, attack effect evaluation can provide suitable guidance on the mode and intensity of the network counterattack.
Summary of the invention
Technical problem: A network warfare platform urgently needs an effective network attack evaluation method that helps improve the system's ability to adapt its network security, and thereby its resistance to network attacks. For attacks by network malicious code, this method uses entropy-based evaluation to establish a malicious code network attack evaluation method based on the entropy method.
Technical scheme: The invention uses network entropy to build a scheme for evaluating the effect of malicious code network attacks. During a network attack, changes in performance parameters including CPU utilization, network traffic, network delay and memory utilization are collected in real time. The indexes collected over multiple measurements are normalized so that the attack indexes can be compared and analysed on the same scale. The entropy method is used to describe the attack effect. The weight coefficient of each attack index is derived from the importance of the evaluation index within the evaluation index system, and finally the effect achieved by the malicious code network attack is determined quantitatively.
The flow of the malicious code network attack evaluation method based on the entropy method is as follows:
Step 1: Network attack experiment. The attack on the target host is carried out by controlling the relevant attack tools.
Step 2: The direct purpose of the attack is to change the corresponding indexes; the indexes that change include CPU utilization, network traffic, network delay and memory utilization. Based on an analysis of the characteristics of denial-of-service attacks, the effect of denial-of-service attacks is evaluated through several indexes: network bandwidth occupancy, CPU utilization, memory utilization and network delay.
Step 3: Normalize the collected indexes. The specific processing is as follows:
1) All data are the mean of four measurements;
2) CPU utilization uses the low-disturbance-state value, with the CPU share taken by the download tool subtracted;
3) Because CPU utilization and memory utilization increase from before the attack to after it, 1 - V is used as the normalized value;
4) Download speed is normalized as V/Vs, where Vs is the network's maximum download speed, 12.5 MB/s;
5) Network delay is normalized as V/Vs, where the maximum network delay Vs is defined as 30 ms.
Step 4: Compute the entropy. When $0 \le V_2 \le V_1 \le V_g$, compute the entropy with $\Delta H = -\log_2(V_2/V_1)$; when $0 \le V_1 \le V_2 \le V_g$, compute it with $\Delta H = -\log_2\big((1 - V_2/V_g)/(1 - V_1/V_g)\big)$.
Where: $V_1$ is the network index before the attack, $V_2$ is the network index after the attack, $V_g$ is the maximum value of the network index, and $\Delta H$ is the computed entropy.
Step 5: Determine the weight coefficient $w_j$ of evaluation index $X_j$ with the two formulas $w'_j = \log_2 n - H(X_j)$ $(j = 1, 2, \ldots, m)$ and
$w_j = \dfrac{w'_j}{\sum_{j=1}^{m} w'_j}$ $(j = 1, 2, \ldots, m)$.
Where: $X_j$ is an evaluation index, $w'_j$ is the weight coefficient, and $w_j$ is the normalized weight coefficient of evaluation index $X_j$; $n$ is the number of samples of the evaluation indexes; $m$ is the number of evaluation indexes.
Step 6: Obtain the comprehensive evaluation result from the formula $H = \sum_{i=1}^{n} \Delta H_i \cdot w_i$.
Where: $\Delta H$ is the entropy computed in step 4, and $w_j$ is the weight coefficient computed in step 5.
Beneficial effects: The scheme proposes an evaluation of malicious code network attack effects based on the entropy method. It aims to evaluate accurately the degree of threat that a malicious code attack brings to the network, and to compare clearly the performance and effect of different attack methods. The method has the following advantages:
(1) Validity of the evaluation method: it is effective and reasonable for the quantitative evaluation of network attack effects. As an illustration, the results in Table 1 and Table 2 show that the entropy values of the indexes differ considerably and the effect is evident. For a DoS attack tool, which mainly affects network speed, the entropy change of the download speed before and after the attack is the largest. The final weighted value of the measured indexes reflects the stability of the system as a whole. For example, when one host attacks with a DoS attack the weighted value is 0.093, whereas when two hosts attack with a DoS attack simultaneously the weighted value is 0.114, which is greater than 0.093. The system is therefore less stable after a DoS attack from two hosts than after a DoS attack from one host, and the network attack is more effective.
Table 1. Index analysis for a DoS attack against another host from one host
[table image GDA0000469159520000041]
Table 2. DoS attack against another host from two hosts
[table image GDA0000469159520000042]
(2) Reasonableness of the evaluation method: the factors of different network attacks, such as network download speed and CPU and memory utilization, differ greatly in unit and magnitude and cannot be compared directly. With this method the evaluation indexes of various attacks can reasonably be placed on the same scale for comparative evaluation, which makes the comprehensive performance evaluation of malicious code more reasonable and effective;
(3) Objectivity of the evaluation method: in the entropy method, the degree of variation of an evaluation index reflects its ability to distinguish between evaluation objects. The lower the degree of variation, the weaker that ability; correspondingly, the index can be considered less important within the evaluation index system, and its weight is smaller.
Description of the drawings
Fig. 1 is the design flow chart of malicious code attack effect evaluation based on the entropy method. It shows the execution flow of the network attack effect evaluation of the invention.
Fig. 2 is a tree diagram of the experimental procedure. It shows the example experiment used to verify the validity of the method.
Embodiment
1. System method
Once network security performance indexes have been chosen and quantified by appropriate methods, a security metric of the network system is obtained, and the difference in the system's security before and after an attack can serve as a measure of the attack effect. When evaluating the attack effect, what matters is the change in the security performance of the network system before and after the attack, so "network entropy" is introduced to evaluate network performance. Network entropy is a description of network security performance: the smaller the network entropy, the better the security of the network system.
For a given index of the network, its entropy can be defined as:
$H = -\log_2 V_i$ (formula 1)
$V_i$ is the normalized performance parameter of this index. After an information network system is attacked, the uncertainty of its information increases, the stability of the system worsens, and the entropy should increase. The "entropy difference" $\Delta H = -\log_2(V_2/V_1)$ can therefore be used to describe the attack effect. In this formula, $V_1$ is the original normalized performance parameter of the network system (such as throughput or data traffic), and $V_2$ is the normalized performance parameter of the network after the attack. Two cases need to be considered.
(1) The value of the network performance index is inversely proportional to the attack effect. Taking the download speed index as an example, let the download speed of the network before the attack be $V_1$ and the download speed after the attack be $V_2$. Normalizing them gives the normalized throughputs $V_1/V_g$ and $V_2/V_g$, where $V_g$ is the network's maximum download speed, which guarantees $0 \le V_2 \le V_1 \le V_g$. The attack effect on the throughput index is:
$\Delta H = -\log_2(V_2/V_g) - (-\log_2(V_1/V_g)) = -\log_2(V_2/V_1)$ (formula 2)
(2) The value of the network performance index is directly proportional to the attack effect. Taking the network delay index as an example, let the network delay before the attack be $V_1$ and the network delay after the attack be $V_2$. Normalizing them gives the normalized network delays $V_1/V_g$ and $V_2/V_g$, where $V_g$ is specified in advance as the maximum network delay, which guarantees $0 \le V_1 \le V_2 \le V_g$. The attack effect on the network delay index is:
$\Delta H = -\log_2(1 - V_2/V_g) - (-\log_2(1 - V_1/V_g)) = -\log_2\big((1 - V_2/V_g)/(1 - V_1/V_g)\big)$ (formula 3)
The greater the change in $V_2$ (whether a fall or a rise), the more obvious the attack effect and the larger $\Delta H$. $\Delta H$ can thus indeed serve as a description of the attack effect.
Next is the method for obtaining the weight coefficients. Suppose that m evaluation indexes have been selected for a certain class of network attack, denoted $\{X_1, X_2, \ldots, X_m\}$. Qualitative evaluation indexes can first be quantified, so all indexes can be treated as quantitative. Suppose also that n samples of these m evaluation indexes have been obtained, denoted $X_{ij}$ $(i = 1, 2, \ldots, n;\ j = 1, 2, \ldots, m)$. To eliminate the influence of the dimensions and scales of the evaluation indexes, the samples need to be preprocessed. For reference-value-type evaluation indexes, the absolute value of the difference from the reference value is taken; general data are normalized accordingly. The following formula is used to make the sample values of each evaluation index dimensionless.
$P_{ij} = \dfrac{X_{ij}}{\sum_{i=1}^{n} X_{ij}} \quad (i = 1, 2, \ldots, n;\ j = 1, 2, \ldots, m)$ (formula 4)
Clearly $0 \le P_{ij} \le 1$ and
[equation image GDA0000469159520000061]
which satisfy the basic definition of probability. $P_{ij}$ can therefore be regarded as the probability of one possible value of evaluation index $X_j$.
Once the probability distribution of the values of each evaluation index $X_j$ has been obtained, the information entropy of each evaluation index can be computed from the definition of information entropy.
$H(X_j) = -\sum_{i=1}^{n} P_{ij} \log_2 P_{ij} \quad (j = 1, 2, \ldots, m)$ (formula 5)
The degree of variation of an evaluation index reflects its ability to distinguish between evaluation objects. The lower the degree of variation, the weaker that ability; correspondingly, the index can be considered less important within the evaluation index system, and its weight is smaller. Let $w_j$ $(j = 1, 2, \ldots, m)$ denote the weights of the evaluation indexes $\{X_1, X_2, \ldots, X_m\}$. $w_j$ and $H(X_j)$ are negatively related: the larger $H(X_j)$, the smaller $w_j$, and vice versa. After a suitable transformation, $H(X_j)$ can therefore be used as the weight coefficient $w_j$ of evaluation index $X_j$.
The following two formulas are used here to determine the weight coefficient $w_j$ of evaluation index $X_j$:
$w'_j = \log_2 n - H(X_j) \quad (j = 1, 2, \ldots, m)$ (formula 6)
$w_j = \dfrac{w'_j}{\sum_{j=1}^{m} w'_j} \quad (j = 1, 2, \ldots, m)$ (formula 7)
Where: $\log_2 n$ is the maximum information entropy of an evaluation index over n samples, and $w_j$ is the normalized weight coefficient of evaluation index $X_j$.
2. Method flow
Using the entropy-based calculation described above, a scheme for evaluating the effect of malicious code network attacks can be built; its flow chart is shown in Fig. 1.
Step 1: Network attack experiment. The experimental procedure is described as a whole by the tree diagram of Fig. 2. The attack on the target host is carried out by controlling the relevant attack tools. This includes using a DoS attack against another host from the current host, and using a DoS attack against another host from multiple hosts.
Step 2: The direct purpose of the attack is to change the corresponding indexes; the indexes that change include CPU utilization, network traffic, network delay and memory utilization. Based on an analysis of the characteristics of denial-of-service attacks, the effect of denial-of-service attacks can be evaluated through the following indexes.
(1) Network bandwidth occupancy
(2) CPU utilization
(3) Memory utilization
(4) Network delay
Step 3: Normalize the collected indexes. The specific processing is as follows:
(1) All data are the mean of four measurements.
(2) CPU utilization uses the low-disturbance-state value (with the CPU share taken by the download tool subtracted).
(3) Because CPU utilization and memory utilization increase from before the attack to after it, 1 - V is used as the normalized value.
(4) Download speed is normalized as V/Vs, where Vs is the network's maximum download speed, 12.5 MB/s.
(5) Network delay is normalized as V/Vs, where the maximum network delay Vs is defined as 30 ms.
Step 4: Compute the entropy with the following formulas:
(1) When $0 \le V_2 \le V_1 \le V_g$,
$\Delta H = -\log_2(V_2/V_g) - (-\log_2(V_1/V_g)) = -\log_2(V_2/V_1)$
(2) When $0 \le V_1 \le V_2 \le V_g$,
$\Delta H = -\log_2(1 - V_2/V_g) - (-\log_2(1 - V_1/V_g)) = -\log_2\big((1 - V_2/V_g)/(1 - V_1/V_g)\big)$
Step 5: Determine the weight coefficient $w_j$ of evaluation index $X_j$ with the following two formulas:
$w'_j = \log_2 n - H(X_j) \quad (j = 1, 2, \ldots, m)$
$w_j = \dfrac{w'_j}{\sum_{j=1}^{m} w'_j} \quad (j = 1, 2, \ldots, m)$
Step 6: Obtain the comprehensive evaluation result from the following formula:
$H = \sum_{i=1}^{n} \Delta H_i \cdot w_i$
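The six steps above, carried through on constructed measurements as an added example (not code from the patent). The readings, the `FLOOR` clamp, the equal-weight fallback, and the choice of the baseline and the two attack runs as the n samples are assumptions made for illustration.

```python
import math

VS_DOWNLOAD_MBPS = 12.5   # Vs for download speed, as stated on the page
VS_DELAY_MS = 30.0        # Vs for network delay, as stated on the page
FLOOR = 1e-6              # assumption: clamp so a saturated index stays finite
INDEXES = ("cpu", "mem", "download", "delay")


def normalise(raw):
    """Step 3: average the four readings of each index and scale to [0, 1]."""
    avg = {k: sum(raw[k]) / len(raw[k]) for k in INDEXES}
    return {
        "cpu": 1.0 - avg["cpu"],                         # rises under attack: 1 - V
        "mem": 1.0 - avg["mem"],                         # rises under attack: 1 - V
        "download": avg["download"] / VS_DOWNLOAD_MBPS,  # V / Vs
        "delay": avg["delay"] / VS_DELAY_MS,             # V / Vs
    }


def delta_h(index, v1, v2):
    """Step 4: entropy difference from normalised values before (v1) and after (v2)."""
    if index == "delay":
        # Value grows with the attack (formula 3); Vg is 1 after normalisation.
        before, after = 1.0 - v1, 1.0 - v2
    else:
        # Value shrinks with the attack (formula 2).
        before, after = v1, v2
    return -math.log2(max(after, FLOOR) / max(before, FLOOR))


def entropy_weights(samples):
    """Step 5: weights w_j from an n x m matrix of non-negative samples X_ij."""
    n, m = len(samples), len(samples[0])
    raw = []
    for j in range(m):
        column = [row[j] for row in samples]
        total = sum(column)
        if total == 0:                 # index never moves: no discriminating power
            raw.append(0.0)
            continue
        probs = [x / total for x in column]                  # P_ij   (formula 4)
        h = -sum(p * math.log2(p) for p in probs if p > 0)   # H(X_j) (formula 5)
        raw.append(max(0.0, math.log2(n) - h))               # w'_j   (formula 6)
    norm = sum(raw)
    if norm < 1e-12:                   # assumption: every index uniform, use equal weights
        return [1.0 / m] * m
    return [w / norm for w in raw]                           # w_j    (formula 7)


def attack_score(baseline, attacked, weights):
    """Step 6: weighted sum of the per-index entropy differences."""
    return sum(w * delta_h(k, baseline[k], attacked[k])
               for k, w in zip(INDEXES, weights))


# Constructed readings, four per index. CPU and memory are fractions of capacity,
# assumed already net of the download tool's own CPU share.
BASELINE = {"cpu": [0.10, 0.12, 0.11, 0.09], "mem": [0.30, 0.31, 0.29, 0.30],
            "download": [11.0, 11.2, 10.8, 11.0], "delay": [2.0, 2.2, 1.8, 2.0]}
ONE_HOST = {"cpu": [0.34, 0.36, 0.35, 0.35], "mem": [0.33, 0.35, 0.34, 0.34],
            "download": [6.1, 5.9, 6.0, 6.0], "delay": [9.0, 9.4, 8.6, 9.0]}
TWO_HOSTS = {"cpu": [0.54, 0.56, 0.55, 0.55], "mem": [0.37, 0.39, 0.38, 0.38],
             "download": [3.1, 2.9, 3.0, 3.0], "delay": [15.0, 15.5, 14.5, 15.0]}


def run_example():
    """Score both attack runs against the baseline; returns (weights, scores)."""
    runs = {"baseline": normalise(BASELINE),
            "one_host": normalise(ONE_HOST),
            "two_hosts": normalise(TWO_HOSTS)}
    # Assumption: the n = 3 samples are the normalised values of each run.
    samples = [[runs[r][k] for k in INDEXES] for r in runs]
    weights = entropy_weights(samples)
    scores = {r: attack_score(runs["baseline"], runs[r], weights)
              for r in ("one_host", "two_hosts")}
    return weights, scores


if __name__ == "__main__":
    weights, scores = run_example()
    print(dict(zip(INDEXES, (round(w, 3) for w in weights))))
    print({name: round(score, 3) for name, score in scores.items()})
```

A larger score means a larger loss of stability on the measured host, which is how the page compares its one-host and two-host runs.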
For ease of description, we assume the following application example:
(1) Experimental platform
The hosts used in the experiment all have Intel processors and 3371 MB of memory, and run Microsoft Windows XP. The test software consists of two DoS attack tools used under Windows XP, AldingUDP2 and IPHACKER.
(2) Experimental items
On the current host, use IPHACKER to launch a denial-of-service attack against another host.
On two hosts, use IPHACKER to launch a denial-of-service attack against another host.
On the current host, use AldingUPD to attack another host at moderate intensity.
On the current host, use AldingUPD to attack another host at high intensity.
(3) Experimental steps
Step 1: Malicious code network attack experiment. The attack on the target host is carried out by controlling the relevant attack tools;
Step 2: Collect the changes in the corresponding indexes during the attack; the indexes that change include CPU utilization, network traffic, network delay and memory utilization;
Step 3: Normalize the collected indexes;
Step 4: Compute the entropy of each index;
Step 5: Determine the weight coefficients of the evaluation indexes;
Step 6: Obtain the comprehensive quantitative evaluation result.

Claims (1)

1. A malicious code network attack evaluation method based on the entropy method, characterized in that the flow of the evaluation method is as follows:
Step 1: Network attack experiment. The attack on the target host is carried out by controlling the relevant attack tools;
Step 2: The direct purpose of the attack is to change the corresponding indexes; the indexes that change include CPU utilization, network traffic, network delay and memory utilization. Based on an analysis of the characteristics of denial-of-service attacks, the effect of denial-of-service attacks is evaluated through several indexes: network bandwidth occupancy, CPU utilization, memory utilization and network delay;
Step 3: Normalize the collected indexes. The specific processing is as follows:
1) All data are the mean of four measurements;
2) CPU utilization uses the low-disturbance-state value, with the CPU share taken by the download tool subtracted;
3) Because CPU utilization and memory utilization increase from before the attack to after it, 1 - V is used as the normalized value;
4) Download speed is normalized as V/Vs, where Vs is the network's maximum download speed, 12.5 MB/s;
5) Network delay is normalized as V/Vs, where the maximum network delay Vs is defined as 30 ms;
Step 4: Compute the entropy. When $0 \le V_2 \le V_1 \le V_g$, compute the entropy with $\Delta H = -\log_2(V_2/V_1)$; when $0 \le V_1 \le V_2 \le V_g$, compute it with $\Delta H = -\log_2\big((1 - V_2/V_g)/(1 - V_1/V_g)\big)$;
Where: $V_1$ is the network index before the attack, $V_2$ is the network index after the attack, $V_g$ is the maximum value of the network index, and $\Delta H$ is the computed entropy;
Step 5: Determine the weight coefficient $w_j$ of evaluation index $X_j$ with the two formulas $w'_j = \log_2 n - H(X_j)$ $(j = 1, 2, \ldots, m)$ and
$w_j = \dfrac{w'_j}{\sum_{j=1}^{m} w'_j}$ $(j = 1, 2, \ldots, m)$;
Where: $X_j$ is an evaluation index, $w'_j$ is the weight coefficient, and $w_j$ is the normalized weight coefficient of evaluation index $X_j$; $n$ is the number of samples of the evaluation indexes; $m$ is the number of evaluation indexes;
Step 6: Obtain the comprehensive evaluation result from the formula $H = \sum_{i=1}^{n} \Delta H_i \cdot w_i$;
Where: $\Delta H$ is the entropy computed in step 4, and $w_j$ is the weight coefficient computed in step 5.
Priority Applications (1)

Application number: CN201110106026.0A
Priority date: 2011-04-22
Filing date: 2011-04-22
Title: Malicious code network attack evaluation method based on entropy method
Legal status: Active
Publication: CN102185847B (en)

Publications (2)

Publication number: CN102185847A, publication date: 2011-09-14
Publication number: CN102185847B, publication date: 2014-05-07

Family ID: 44571917


Legal Events

Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
EE01 Entry into force of recordation of patent licensing contract
  Application publication date: 20110914
  Assignee: Jiangsu Nanyou IOT Technology Park Ltd.
  Assignor: Nanjing Post & Telecommunication Univ.
  Contract record no.: 2016320000220
  Denomination of invention: Malicious code network attack evaluation method based on entropy method
  Granted publication date: 20140507
  License type: Common License
  Record date: 20161121
LICC Enforcement, change and cancellation of record of contracts on the licence for exploitation of a patent or utility model
EC01 Cancellation of recordation of patent licensing contract
  Assignee: Jiangsu Nanyou IOT Technology Park Ltd.
  Assignor: Nanjing Post & Telecommunication Univ.
  Contract record no.: 2016320000220
  Date of cancellation: 20180116